Friday, 5 November 2010
Repost: HOWTO Configure DHCP failover
http://consultancy.edvoncken.net/index.php/HOWTO_Configure_DHCP_failover
The ISC DHCP server currently supports failover using a maximum of 2 servers: primary and secondary. This is an active/active setup; a simple form of load balancing is used to spread the load across both servers.
In this example, we'll be setting up failover DHCP on two servers, 192.168.123.1 and 192.168.123.2. These servers also run DNS and NTP. Dynamic clients will get an address in the range 192.168.123.100-199. Static leases are defined for several networked devices.
Since the ISC DHCP server allows the use of "include-files" in the configuration, we will use them to help keep the configurations simple and in sync across servers.
Installation
Install the following package, for example using yum:
dhcp
This example is based on version dhcp-3.0.5-18.el5.
Configuration
The configuration consists of several sections, each stored in a separate file to make maintenance easier.
Failover parameters
For the Primary, define the following failover parameters in /etc/dhcpd.conf_primary:
##########################
# DHCP Failover, Primary #
##########################
failover peer "example" {           # Failover configuration
    primary;                        # I am the primary
    address 192.168.123.1;          # My IP address
    port 647;
    peer address 192.168.123.2;     # Peer's IP address
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128;                      # Leave this at 128, only defined on Primary
    load balance max seconds 3;
}
For the Secondary, define the following failover parameters in /etc/dhcpd.conf_secondary:
############################
# DHCP Failover, Secondary #
############################
failover peer "example" {           # Failover configuration
    secondary;                      # I am the secondary
    address 192.168.123.2;          # My IP address
    port 647;
    peer address 192.168.123.1;     # Peer's IP address
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    load balance max seconds 3;
}
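The two peer declarations above must mirror each other exactly (address/peer address and port/peer port swapped, the same mclt, split only on the Primary); a typo in one file silently breaks the partnership. The following checker is an added example, not part of the original HOWTO; it parses the two blocks from constructed copies of the files shown above and reports any mismatch.

```python
import re

# Constructed sample input: the Primary and Secondary failover blocks from this HOWTO,
# condensed onto fewer lines (dhcpd.conf allows several statements per line).
PRIMARY = """failover peer "example" {
    primary;  address 192.168.123.1;  port 647;   # I am the primary
    peer address 192.168.123.2;  peer port 647;
    max-response-delay 60;  max-unacked-updates 10;  mclt 3600;
    split 128;  load balance max seconds 3;
}"""
SECONDARY = """failover peer "example" {
    secondary;  address 192.168.123.2;  port 647;   # I am the secondary
    peer address 192.168.123.1;  peer port 647;
    max-response-delay 60;  max-unacked-updates 10;  mclt 3600;
    load balance max seconds 3;
}"""

def parse_failover(text):
    """Return (peer name, {statement: value}) for the first failover peer block in text."""
    text = re.sub(r'#[^\n]*', '', text)                       # strip end-of-line comments
    m = re.search(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', text, re.S)
    if not m:
        raise ValueError("no failover peer block found")
    params = {}
    for stmt in m.group(2).split(';'):
        parts = stmt.split()
        if not parts:
            continue
        if parts[0] in ('primary', 'secondary'):               # bare role keyword
            params['role'] = parts[0]
        else:                                                  # "key words value"
            params[' '.join(parts[:-1])] = parts[-1]
    return m.group(1), params

def check_pair(primary_text, secondary_text):
    """List the inconsistencies between the two peer declarations (empty list = consistent)."""
    pname, p = parse_failover(primary_text)
    sname, s = parse_failover(secondary_text)
    rules = [
        (pname == sname, "peer names differ"),
        (p.get('role') == 'primary' and s.get('role') == 'secondary', "roles are not primary/secondary"),
        (p.get('address') == s.get('peer address') and s.get('address') == p.get('peer address'),
         "address / peer address are not mirrored"),
        (p.get('port') == s.get('peer port') and s.get('port') == p.get('peer port'),
         "port / peer port are not mirrored"),
        (p.get('mclt') == s.get('mclt'), "mclt differs between peers"),
        ('split' in p and 'split' not in s, "split must be defined on the Primary only"),
    ]
    return [msg for ok, msg in rules if not ok]
```

Run it against the real /etc/dhcpd.conf_primary and /etc/dhcpd.conf_secondary contents before distributing them with rsync; an empty list means the two blocks agree.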
Subnet declaration
Write a subnet declaration using our failover pool in /etc/dhcpd.conf_subnet. This section is identical on Primary and Secondary:
subnet 192.168.123.0 netmask 255.255.255.0      # zone to issue addresses from
{
    pool {
        failover peer "example";                # Pool for DHCP leases with failover; BOOTP not allowed
        deny dynamic bootp clients;
        range 192.168.123.100 192.168.123.190;
    }
    pool {                                      # Accommodate our BOOTP clients here; no replication or failover
        range 192.168.123.191 192.168.123.199;
    }
    allow unknown-clients;
    authoritative;
    option routers 192.168.123.254;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.123.255;
    option domain-name "example.local.";
    option domain-name-servers 192.168.123.1, 192.168.123.2;
    option ntp-servers 192.168.123.1, 192.168.123.2;
    option netbios-node-type 8;
    default-lease-time 300;
    max-lease-time 600;
    filename "/pxelinux.0";
    next-server 192.168.123.1;
}
Note: the manpage for dhcpd.conf(5) states that dynamic BOOTP leases are not compatible with failover. Therefore, BOOTP should be disabled in pools using failover, which is why the BOOTP clients get their own pool above.
Dynamic DNS
If you are configuring Dynamic DNS, write the settings in /etc/dhcpd.conf_ddns. This section is identical on Primary and Secondary:
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.local.";
ignore client-updates;
# Forward zone for DNS updates
zone example.local
{
    primary 192.168.123.1;      # update the primary DNS
    key ddns-update;            # key to use for the update
}
# Reverse zone for DNS updates
zone 123.168.192.in-addr.arpa
{
    primary 192.168.123.1;      # update the primary DNS
    key ddns-update;            # key to use for the update
}
Note: for security reasons, DNS updates need to be signed using a shared key (TSIG). The "key ddns-update" statement specifies that DHCP will use a key named "ddns-update" when sending update requests.
For more information on this key, please refer to HOWTO Configure Dynamic DNS.
Static leases
For more flexible IP address management, configure all devices to use DHCP and set up static leases for these devices.
In /etc/dhcpd.conf_static, create all static leases that you may need (outside of the DHCP/BOOTP range!). Again, this section is identical on Primary and Secondary:
# Axis Security Camera
host cam-reception {
    hardware ethernet 00:40:12:c0:ff:ee;
    fixed-address 192.168.123.200;
}
# Axis Security Camera
host cam-fireexit {
    hardware ethernet 00:40:fe:ed:fa:ce;
    fixed-address 192.168.123.201;
}
# Axis Security Camera
host cam-frontdoor {
    hardware ethernet 00:40:de:ad:be:ef;
    fixed-address 192.168.123.202;
}
Overall configuration
The configuration of the Primary and Secondary DHCP servers is mostly identical, except for the Failover parameters. By keeping the sub-configurations in sync across servers (perhaps using rsync), maintenance is reduced to a minimum.
The overall configuration file, /etc/dhcpd.conf, is only slightly different on Primary and Secondary.
Configuring /etc/dhcpd.conf on the Primary
# DHCP Server - Configuration file for Primary
#
# File $Id: dhcpd.conf,v 1.21 2009/07/09 16:26:57 root Exp root $

# Global configuration
set vendorclass = option vendor-class-identifier;

# Dynamic DNS Updates
include "/etc/ddns-update.dnskey";
include "/etc/dhcpd.conf_ddns";

# DHCP Failover, Primary
include "/etc/dhcpd.conf_primary";

# Subnet declaration
include "/etc/dhcpd.conf_subnet";

# Static IP addresses
include "/etc/dhcpd.conf_static";

# EOF
Configuring /etc/dhcpd.conf on the Secondary
# DHCP Server - Configuration file for Secondary
#
# File $Id: dhcpd.conf,v 1.9 2009/07/09 16:31:20 root Exp root $

# Global configuration
set vendorclass = option vendor-class-identifier;

# Dynamic DNS Updates
include "/etc/ddns-update.dnskey";
include "/etc/dhcpd.conf_ddns";

# DHCP Failover, Secondary
include "/etc/dhcpd.conf_secondary";

# Subnet declaration
include "/etc/dhcpd.conf_subnet";

# Static IP addresses
include "/etc/dhcpd.conf_static";

# EOF
Miscellaneous
SELinux considerations
By default, SELinux policy does not allow the BIND daemon (named) to write to files labeled with the named_zone_t type, which is used for master zone files. Zone files that receive dynamic updates should therefore be stored under /var/named/chroot/var/named/data or /var/named/chroot/var/named/dynamic, and relabeled:
# restorecon -R -v /var/named/chroot/var/named/data
# restorecon -R -v /var/named/chroot/var/named/dynamic
This resets the zone files to the named_cache_t type, which should resolve the 'SELinux is preventing named (named_t) "unlink"' error messages.
Firewall settings
Your firewall should allow inbound traffic on 69/UDP, 69/TCP and 647/TCP. Sample entries for /etc/sysconfig/iptables:
# DHCP server
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 69 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 647 -j ACCEPT
Starting the service
On both DHCP Primary and Secondary, run the following commands as root:
# chkconfig dhcpd on
# service dhcpd start
References
- DHCP manual pages: dhcpd.conf(5), dhcpd-options(5)
- How To Set Up DHCP Failover On Centos 5.1
- https://fedorahosted.org/managing-confined-services/wiki/ContentSpecification
See Also
- HOWTO Design a fault-tolerant DHCP + DNS solution
- HOWTO Configure DHCP failover
- HOWTO Configure Dynamic DNS
- HOWTO Manage Dynamic DNS with nsupdate